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I. REAL PARTY IN INTEREST 

The real party in interest is International Business Machines Corporation, 
which is the assignee of the entire right, title and interest in the above-identified 
patent application. 

II. RELATED APPEALS AND INTERFERENCES 

There are no other appeals or interferences known to Appellants, Appellants' 
legal representative or assignee which will directly affect or be directly affected by or 
have a bearing on the Board's decision in the pending appeal. 

III. STATUS OF CLAIMS 

Claims 17-24 are pending in the Application. Claims 1-16 were cancelled. 
Claims 17-24 stand rejected. Claims 17-24 are appealed. 
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IV. STATUS OF AMENDMENTS 

Appellants have submitted an amendment (January 25, 2008) canceling claims 
1-16 following receipt of the final office action (October 26, 2007). 

V. SUMMARY OF CLAIMED SUBJECT MATTER 
Independent Claim 17: 

In one embodiment of the present invention, a method for providing user 
access to a portion of a web site implemented by an electronic commerce system, the 
web site being accessible by one or more users and comprising a set of on-line stores 
and a set of organizations, each of the on-line stores being associated with one of the 
set of organizations. Specification, page 9, lines 3-5; Specification, page 9, lines 7-9; 
Specification, page 9, lines 14-20; Figure 1, elements 10, 12, 14, 16, 18, 20. The 
method comprises the step of associating each user with a unique identity in the 
system. Specification, page 9, line 26 - page 10, line 2; Specification, page 11, lines 
1-3. The method further comprises associating a user identity with one of a set of 
access roles for a security domain, the access role defining access privileges for the 
user corresponding to the user identity, the security domain comprising a subset of the 
set of organizations and the on-line stores associated with the organizations in the 
subset. Specification, page 10, lines 3-6; Specification, page 10, lines 7-10; 
Specification, page 11, lines 19-24; Specification, page 12, lines 8-13. Additionally, 
the method comprises granting or denying access to a user attempting to access a 
portion of the web site by determining the user identity for the user and determining 
the access role associated with the user identity for the security domain corresponding 
to the portion of the web site subject to the access attempt. Specification, page 10, 
lines 10-18. 

VI. GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 
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A. Claims 17-23 stand rejected under 35 U.S.C. § 103(a) as being 
unpatentable over Win et al. (U.S. Patent No. 6,453,353) (hereinafter "Win") in view 
of Gillett et al. (U.S. Patent No. 6,760,711) (hereinafter "Gillett"). 

B. Claim 24 stands rejected under 35 U.S.C. § 103(a) as being 
unpatentable over Win in view of Gillett and in further view of Aull et al. (U.S. Patent 
No. 7,028,180) (hereinafter "Aull"). 

VII. ARGUMENT 

A. Claims 17-23 are not properly rejected under 35 U.S.C. § 103(a) as 
being unpatentable over Win in view of Gillett. 

1. Win and Gillett, taken singly or in combination, do not teach at 
least the following claim limitations. 

a. Claim 17 is patentable over Win in view of Gillett. 
The Examiner cites column 3, lines 28-60; column 4, lines 1-10 and column 8, 
lines 20-40 of Gillett as teaching "the web site being accessible by one or more users 
and comprising a set of on-line stores and a set of organizations, each of the said on- 
line stores being associated with one of the set of organizations" as recited in claim 
17. Office Action (10/26/2007), pages 2-3. Appellants respectfully traverse. 

Gillett instead teaches that the merchants' computers 24(1)-24(N), with the 
assistance of the ISP computer 28, create online stores that are merchant-owned, but 
physically hosted by the ISP computer 28. Column 3, lines 28-31. Gillett further 
teaches that the ISP computer 28 is loaded with commerce server software 30 that 
allows the ISP to host online stores on behalf of the merchants. Column 3, lines 31- 
33. Additionally, Gillett teaches that based on the merchant provided information, the 
ISP-based commerce server 30 creates the merchant's storefront 32 that is kept 
resident at the ISP computer. Column 3, lines 50-53. 

Hence, Gillett teaches using a commerce server 30 to create separate merchant 
storefronts (as illustrated as "Ml Storefront" and "M2 Storefront" in Figure 1 of 
Gillett) for each merchant. 
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There is no language in the cited passages that teaches that each electronic 
commerce system comprises a web site comprising a set of on-line stores and a set of 
organizations . Instead, Gillett teaches separate merchant storefronts for each 
merchant . There is no language in Gillette that teaches that commerce server 30 
creates a web site that comprises a set of on-line stores and a set of organizations . 
Neither is there any language in the cited passages that teaches that each of the on- 
line stores being associated with one of the set of organizations . Therefore, the 
Examiner's cited passages do not teach the above-cited claim limitation as asserted by 
the Examiner. 

Furthermore, the Examiner cites column 3, lines 28-60; column 4, lines 1-10 
and column 8, lines 20-40 of Gillett as teaching "the security domain comprising a 
subset of the set of organizations and the on-line stores associated with the 
organizations in the subset" as recited in claim 17. Office Action (6/20/2007), page 4; 
Office Action (10/26/2007), page 8. Appellants respectfully traverse. 

Gillett instead teaches that Figure 1 shows an online commerce system 20 in 
which customers shop for goods and/or services offered by merchants over the 
Internet 22. Column 3, lines 19-21. Gillett further teaches that the merchants' 
computers 24(1)-24(N), with the assistance of the ISP computer 28, create online 
stores that are merchant-owned, but physically hosted by the ISP computer 28. 
Column 3, lines 28-31. Additionally, Gillett teaches that based on the merchant 
provided information, the ISP-based commerce server 30 creates the merchant's 
storefront 32 that is kept resident at the ISP computer. Column 3, lines 50-53. 
Furthermore, Gillett teaches that the ISP also has a storage or database 34 that stores 
commerce data on behalf of the merchants. Column 3, lines 55-56. Furthermore, 
Gillett teaches that periodically, or in response to a merchant-initiated request, the 
merchant computer 24(1) checks the ISP database 34 to see if any purchase requests 
for the merchant's products have been received. Column 8, lines 20-23. 
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Hence, Gillett teaches creating separate merchant storefronts (as illustrated as 
"Ml Storefront" and "M2 Storefront" in Figure 1 of Gillett) for each merchant. 
Gillett further teaches a database storing commerce data on behalf of the merchants. 
Additionally, Gillett teaches that a merchant computer checks the database to see if 
any purchase requests for the merchant's products have been received. 

There is no language in the cited passages that teaches a security domain 
comprising a subset of the set of organizations . In the context of one embodiment of 
the present invention, a security domain is a set of web pages for which users have a 
defined set of privileges. See Appellants' Specification, page 12, lines 12-13. Neither 
is there any language in the cited passages that teaches a security domain comprising 
a subset of the set of organizations and the on-line stores associated with the 
organizations in the subset . Therefore, the Examiner's cited passages do not teach the 
above-cited claim limitation as asserted by the Examiner. 

In response to Appellants' above argument, the Examiner asserts that Gillett 
teaches that each merchant has special security control over their storefronts. Office 
Action (10/26/2007), page 3. Gillett does teach an asymmetric key generator 40 that 
is used to generate an asymmetric key pair unique to the merchant and associated 
with the merchant's storefront 32. Column 3, lines 64-67. Gillett additionally teaches 
that key pair includes a private key and a public key, which will be used to protect 
and access merchant-owned commerce data stored at the ISP storage 34. Column 4, 
lines 1-3. While Gillett teaches generating a key pair to protect and access merchant- 
owned commerce data, this is not related to a security domain comprising a subset of 
the set of organizations and the on-line stores associated with the organizations in the 
subset . In the context of one embodiment of the present invention, a security domain 
is a set of web pages for which users have a defined set of privileges. See Appellants' 
Specification, page 12, lines 12-13. Therefore, the Examiner's cited passages do not 
teach the above-cited claim limitation as asserted by the Examiner. 
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The Examiner further cites column 3, lines 1-6; column 6, line 10-16; and 
column 8, lines 10-16, 36-46 of Win as teaching "granting or denying access to a user 
attempting to access a portion of the web site by determining the user identity for the 
user and determining the access role associated with the user identity for the security 
domain corresponding to the portion of the web site subject to the access attempt" as 
recited in claim 17. Office Action (6/20/2007), page 4; Office Action (10/26/2007), 
page 8. Appellants respectfully traverse. 

Win instead teaches that a related feature involves, based on the association, 
automatically granting access to the resource to all users who have the role when the 
association is stored; and based on the association, automatically denying access to 
the resource to all users who do not have the role when the association is un-assigned. 
Column 3, lines 1-6. Win further teaches that if the login attempt is successful, the 
system 2 presents the user with a personalized menu that assists the user in 
identifying and selecting a resource. Column 6, lines 10-12. Additionally, Win 
teaches that Figure 3C is a state diagram showing processes carried out when the 
URL is a protected resource and the user is authenticated. Column 8, lines 36-38. 

Hence, Win teaches granting access to the resource to all users who have the 
role when the association is stored; and denying access to the resource to all users 
who do not have the role when the association is un-assigned. 

There is no language in the cited passages that teaches granting or denying 
access to a user attempting to access a portion of the web site by determining the user 
identity for the user and determining the access role associated with the user identity 
for the security domain corresponding to the portion of the web site subject to the 
access attempt . Therefore, the Examiner's cited passages do not teach the above-cited 
claim limitation as asserted by the Examiner. 

In response to Appellants' above argument, the Examiner focuses on column 
6, lines 10-16 of Win as teaching the aspect of attempting to access a portion of the 
web site by determining the user identity for the user and determining the access role 
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associated with the user identity for the security domain corresponding to the portion 
of the web site subject to the access attempt . Office Action (10/26/2007), pages 3-4. 
Appellants respectfully traverse. 

Win instead teaches that users may log in either with a digital certificate or by 
opening a login page URL with a web browser and entering a name and password. 
Column 6, lines 1-3. Win further teaches that in the past, users have had to log in 
individually to each web application that they are authorized to use. Column 6, lines 
3-5. Win additionally teaches that in the preferred embodiment, users always access 
the same login page regardless of the number of resources to which they need access. 
Column 6, lines 5-7. 

Hence, Win teaches a user logging in either with a digital certificate or by 
opening a login page URL with a web browser and entering a name and password. 

There is no language in column 6, lines 10-16 of Win that teaches granting or 
denying access to a user attempting to access a portion of the web site bv determining 
the user identity for the user and determining the access role associated with the user 
identity for the security domain corresponding to the portion of the web site subject to 
the access attempt . Therefore, the Examiner's cited passage does not teach the above- 
cited claim limitation as asserted by the Examiner. 

Further, the Examiner must provide a basis in fact and/or technical reasoning 
to support the assertion that the teaching of having a user use a digital certificate or a 
login page to login necessarily teaches granting or denying access to a user 
attempting to access a portion of the web site bv determining the user identity for the 
user and determining the access role associated with the user identit y for the security 
domain corresponding to the portion of the web site subject to the access attempt . Ex 
parte Levy, 17U.S.P.Q.2d 1461, 1464 (Bd. Pat. App. & Inter. 1990). That is, the 
Examiner must provide extrinsic evidence that must make clear that the teaching of 
having a user use a digital certificate or a login page to login necessarily teaches 
granting or denying access to a user attempting to access a portion of the web site by 
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determining the user identity for the user and determining the access role associated 
with the user identity for the security domain corresponding to the portion of the web 
site subject to the access attempt , and that it would be so recognized by persons of 
ordinary skill. In re Robertson, 169 F.3d 743, 745 (Fed. Cir. 1999). Since the 
Examiner has not provided any such objective evidence, the Examiner has not 
presented a prima facie case of obviousness for rejecting claim 17. M.P.E.P. §§2112. 

b. Claims 18-23 are patentable over Win in view of Gillett 
for at least the reasons that claim 17 is patentable over 
Win in view of Gillett. 

Claims 18-23 each recite combinations of features of independent claim 17, 
and hence claims 18-23 are patentable over Win in view of Gillett for at least the 
above-stated reasons that claim 17 is patentable over Win in view of Gillett. 

c. Claims 20-22 are patentable over Win in view of 
Gillett. 

The Examiner cites Figure 1 of Gillett as teaching "to define the set of 
organizations as a tree structure" as recited in claims 20-22. Office Action 
(6/20/2007), page 5; Office Action (10/26/2007), page 9. Appellants respectfully 
traverse. 

There is no depiction in Figure 1 or description of Figure 1 of Gillett that 
teaches defining a set of organizations as a tree structure. Figure 1 of Gillett instead 
shows a merchant computer 24 being coupled to an ISP 26 via a network 28. This is 
not the same as defining a set of organizations as a tree structure. Therefore, the 
Examiner's cited Figure does not teach the above-cited claim limitation as asserted by 
the Examiner. 

In response to Appellants' above argument, the Examiner additionally cites 
column 5, lines 20-35 and 55-56 of Win as teaching the above-cited claim limitation. 
Office Action (10/26/2007), pages 4 and 9. Appellants respectfully traverse. 
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Win instead teaches that the system 2 enables administrators to implement 
access rules by defining roles that users play when working for an organization or 
doing business with an enterprise. Column 5, lines 21-23. Win further teaches that a 
role may reflect a relationship of a user to the organization (employee, customer, 
distributor, supplier), their department within an organization (sales, marketing, 
engineering) or any other affiliation or function (member of quality task force, hotline 
staff member) that defines their information needs and thus their access rights or 
privileges. Column 5, lines 23-29. Win additionally teaches that roles and resources 
are owned by functional groups within the organization. Column 5, lines 55-56. 

Hence, Win teaches defining roles that users play when working for an 
organization or doing business with an enterprise, such as for example, an employee, 
a customer, a supplier and so forth. 

There is no language in the cited passages that teaches defining the set of 
organizations as a tree structure . The Examiner suggests that storefronts are leaves to 
a tree (see Office Action (10/26/2007), page 4) but does not provide any evidence to 
support such a proposition. There is no language in Win that makes any discussion of 
a tree structure. The Examiner must provide a basis in fact and/or technical reasoning 
to support the assertion that the teaching of defining roles that users play when 
working for an organization (e.g., employee, customer) necessarily teaches defining 
the set of organizations as a tree structure. Ex parte Levy, 17 U.S.P.Q.2d 1461, 1464 
(Bd. Pat. App. & Inter. 1990). That is, the Examiner must provide extrinsic evidence 
that must make clear that the teaching of defining roles that users play when working 
for an organization (e.g., employee, customer) necessarily teaches defining the set of 
organizations as a tree structure, and that it would be so recognized by persons of 
ordinary skill. In re Robertson, 169 F.3d 743, 745 (Fed. Cir. 1999). Since the 
Examiner has not provided any such objective evidence, the Examiner has not 
presented a prima facie case of obviousness for rejecting claims 20-22. 
M.P.E.P. §§2112. 
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The Examiner further cites column 5, lines 33-39 and 54-56 of Win as 
teaching "defining the security domain to include the selected organization and those 
organizations in the set that are descendants of the selected organization" as recited in 
claims 20-22. Office Action (6/20/2007), page 5; Office Action (10/26/2007), page 9. 
Appellants respectfully traverse. 

Win instead teaches that roles are defined by information identifying a name 
of a role and by a functional group in which the role resides. Column 5, lines 34-35. 
Win further teaches that a functional group is often a department in which similar 
functions exist. Column 5, lines 35-37. Win additionally teaches that roles and 
resources are owned by functional groups within the organization. Column 5, lines 
55-56. 

There is no language in the cited passages that teaches defining the security 
domain to include the selected organization and those organizations in the set that are 
descendants of the selected organization . Therefore, the Examiner's cited passages do 
not teach the above-cited claim limitation as asserted by the Examiner. 

d. Claim 23 is patentable over Win in view of Gillett. 

The Examiner cites column 13, lines 50-52; column 15, lines 44-46 of Win 
and column 16, lines 46-53 as teaching "maintaining and providing look up 
functionality for a table comprising rows comprising data representing user identity, 
organization, access role associations" as recited in claim 23. Office Action 
(6/20/2007), pages 5-6; Office Action (10/26/2007), pages 9-10. Appellants 
respectfully traverse. 

Win instead teaches that a preferred arrangement of database tables and forms 
will become apparent. Column 13, lines 50-52. Win further teaches that each user is 
defined by personal information, login and password information, and account 
information. Column 15, lines 42-44. Additionally, Win teaches that preferably, the 
personal information comprises a first name value, a last name value, an email 
address value, and a user type value. Column 15, lines 45-47. Furthermore, Win 
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teaches that, for example, a user is defined in the registry repository as having a 
record type of user, a record name of Harvey, and a role of hotline staff. Column 16, 
lines 47-49. Win further teaches that a field in the administration role record specifies 
whether that user is assigned the "configuration privilege." Column 16, lines 49-51. 
Additionally Win teaches that this privilege allows an administrator to configure and 
maintain servers in the system. Column 16, lines 51-53. 

Hence, Win teaches that each user is defined by personal information, login 
and password information, and account information. Further, Win teaches various 
roles, such as being an administrator, a user may be assigned. 

However, there is no language in the cited passages that teaches maintaining 
and providing look up functionality for a table comprising rows comprising data 
representing user identity, organization , access role associations. Therefore, the 
Examiner's cited passages do not teach the above-cited claim limitation as asserted by 
the Examiner. 

In response to Appellants' above argument, the Examiner simply asserts that 
the registry repository comprises data representing user identity, organization and 
access role associations. Office Action (10/26/2007), page 4. However, as illustrated 
in Table 1 of Win, there is no depiction of data representing organizations . 

Further, the Examiner cites column 13, lines 7-22 of Win as teaching the 
above-cited claim limitation. Office Action (10/26/2007), page 5. Appellants 
respectfully traverse. Win instead teaches that using administration application 114, 
an administrator may find, list, create, delete and modify user, resource and role 
records. Column 13, lines 8-10. Win further teaches that each user record stores 
profile information, which includes the user's first and last names, email address, 
login name, password, locale, whether the account is active or inactive, and when the 
password or account will expire. Column 13, lines 12-16. 

While column 13, lines 7-22 of win teaches storing profile information that 
includes names, an e-mail address, a login name and so forth, there is no language in 
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the cited passage directed to maintaining and providing look up functionality for a 
table comprising rows comprising data representing user identity, organization , access 
role associations. Therefore, the Examiner's cited passage does not teach the above- 
cited claim limitation as asserted by the Examiner. 

2. Examiner's reasoning for modifying Win with Gillett to 
include the missing claim limitations of claim 17 is insufficient 
to establish a prima facie case of obviousness. 

Most if not all inventions arise from a combination of old elements. See In re 
Rouffet, Al U.S.P.Q.2d 1453, 1457 (Fed. Cir. 1998). Obviousness is determined from 
the vantage point of a hypothetical person having ordinary skill in the art to which the 
patent pertains. In re Rouffet, 47 U.S.P.Q.2d 1453, 1457 (Fed. Cir. 1998). Therefore, 
an Examiner may often find every element of a claimed invention in the prior art. Id. 
However, identification in the prior art of each individual part claimed is insufficient 
to defeat patentability of the whole claimed invention. See Id. In order to establish a 
prima facie case of obviousness, the Examiner must show reasons that the skilled 
artisan, confronted with the same problems as the inventor and with no knowledge of 
the claimed invention, would select the elements from the cited prior art references 
for combination in the manner claimed. In re Rouffet, 47 U.S.P.Q.2d 1453, 1458 
(Fed. Cir. 1998). The Examiner must provide articulated reasoning with some 
rational underpinning to support the legal conclusion of obviousness. In re Kahn, 441 
F.3d 977, 988 (Fed. Cir. 2006) (cited approvingly in KSR International Co. v. Teleflex 
Inc., 82 U.S.P.Q.2d 1385, 1396 (U.S. 2007)). 

The Examiner admits that Win does not teach "the security domain 
comprising a subset of the set of organizations and the on-line stores associated with 
the organizations in the subset" as recited in claim 17. Office Action (6/20/2007), 
page 4; Office Action (10/26/2007), page 8. The Examiner asserts that Gillett teaches 
the above-cited claim limitations. Id. The Examiner's reasoning for modifying Win 
with Gillett to include the above-cited claim limitations is "to set up online stores 
while having a centralized ISP provide the security and maintenance of the websites 
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thereby diminishing the threat of misuse of information (Gillett, column 1 lines 35-62 
and column 1 lines 1-15)." Id. The Examiner's reasoning is insufficient to establish a 
prima facie case of obviousness in rejecting claims 17-23. 

As stated above, the Examiner cites column 1, lines 1-15 and 35-62 of Gillett 
as support for the Examiner's reasoning for modifying Win with Gillett to include the 
missing claim limitations of claim 17. Gillett teaches that there is a need for an 
architecture that provides security at the ISP level to thereby reduce the exposure of 
ISPs to liability. Column 1, lines 59-62. There is no language in Gillett (and in 
particular column 1, lines 1-15 and 35-62) that makes any suggestion that by having a 
security domain comprise a subset of the set of organizations and the on-line stores 
associated with the organizations in the subset (missing claim limitations) that the 
threat of misuse of information is diminished (Examiner's reasoning). The Examiner 
has simply cited to arbitrary passages in Gillett that mentions the problems in the 
prior art and that there is a need in the art for an architecture that provides security at 
the ISP level to thereby reduce the exposure of ISPs to liability. The Examiner has to 
provide some rational connection between the cited passages that is the source of the 
Examiner's reasoning and the missing claim limitations. The Examiner's source 
(column 1, lines 1-15 and 35-62 of Gillett) for the Examiner's reasoning for 
modifying Win with Gillett to include the above-cited claim limitations does not 
provide reasons as to why one skilled in the art would modify Win to include the 
missing claim limitations of claim 17. Accordingly, the Examiner has not presented a 
prima facie case of obviousness for rejecting claims 17-23. KSR International Co. v. 
Teleflexlnc, 82 U.S.P.Q.2d 1385, 1396 (U.S. 2007). 

In response to Appellants' above argument, the Examiner points out that 
Gillett suggest that most merchants do not have the wherewithal to manage their 
websites and thus it is an advantage to offload those processes to an ISP. Office 
Action (10/26/2007), page 5. However, the teaching of using an Internet service 
provider (ISP) does not provide any reasons for having a security domain comprise a 
subset of the set of organizations and the on-line stores associated with the 
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organizations in the subset (missing claim limitations). Accordingly, the Examiner 
has not presented a prima facie case of obviousness for rejecting claims 17-23. KSR 
International Co. v. Teleflex Inc., 82 U.S.P.Q.2d 1385, 1396 (U.S. 2007). 

Further, Win addresses the problems of permitting rapid and convenient 
addition of information describing users and resources and propagating the effects of 
changes in the data model throughout the system. Column 2, lines 34-38. The 
Examiner has not provided any reasons as to why one skilled in the art would modify 
Win (which teaches permitting rapid and convenient addition of information 
describing users and resources and propagating the effects of changes in the data 
model throughout the system) to have a security domain comprise a subset of the set 
of organizations and the on-line stores associated with the organizations in the subset 
(missing claim limitations). The Examiner's rationale ("to set up online stores while 
having a centralized ISP provide the security and maintenance of the websites thereby 
diminishing the threat of misuse of information") does not provide such reasoning. 

Why would the reason to modify Win (whose purpose is to permit rapid and 
convenient addition of information describing users and resources and propagate the 
effects of changes in the data model throughout the system) to have a security domain 
comprise a subset of the set of organizations and the on-line stores associated with the 
organizations in the subset (missing claim limitations) be to diminish the threat of 
misuse of information? Win is not concerned with diminishing the threat of misuse of 
information. The Examiner cannot completely ignore the teachings of Win in 
concluding it would have been obvious to modify Win to include the missing claim 
limitations of claim 17. Further, what is the rational connection between diminishing 
the threat of misuse of information (Examiner's motivation) and having a security 
domain comprise a subset of the set of organizations and the on-line stores associated 
with the organizations in the subset (missing claim limitations)? 

Hence, the Examiner's rationale does not provide reasons that the skilled 
artisan, confronted with the same problems as the inventor and with no knowledge of 
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the claimed invention, would modify Win to include the missing claim limitations of 
claim 17. Accordingly, the Examiner has not presented a prima facie case of 
obviousness for rejecting claims 17-23. KSR International Co. v. Teleflex Inc., 82 
U.S.P.Q.2d 1385, 1396 (U.S. 2007). 

3. Examiner fails to provide a rational underpinning for 
modifying Win with Gillett to include the missing claim 
limitations of claims 20-22. 

As stated above, most if not all inventions arise from a combination of old 
elements. See In re Rouffet, 47 U.S.P.Q.2d 1453, 1457 (Fed. Cir. 1998). Obviousness 
is determined from the vantage point of a hypothetical person having ordinary skill in 
the art to which the patent pertains. In re Rouffet, 47 U.S.P.Q.2d 1453, 1457 (Fed. 
Cir. 1998). Therefore, an Examiner may often find every element of a claimed 
invention in the prior art. Id. However, identification in the prior art of each 
individual part claimed is insufficient to defeat patentability of the whole claimed 
invention. See Id. In order to establish a prima facie case of obviousness, the 
Examiner must show reasons that the skilled artisan, confronted with the same 
problems as the inventor and with no knowledge of the claimed invention, would 
select the elements from the cited prior art references for combination in the manner 
claimed. In re Rouffet, 47 U.S.P.Q.2d 1453, 1458 (Fed. Cir. 1998). The Examiner 
must provide articulated reasoning with some rational underpinning to support the 
legal conclusion of obviousness. In re Kahn, 441 F.3d 977, 988 (Fed. Cir. 2006) 
(cited approvingly in KSR International Co. v. Teleflex Inc., 82 U.S.P.Q.2d 1385, 
1396 (U.S. 2007)). 

The Examiner admits that Win does not teach "to define the set of 
organizations as a tree structure" as recited in claims 20-22. Office Action 
(6/20/2007), page 5; Office Action (10/26/2007), page 9. The Examiner asserts that 
Gillett teaches the above-cited missing limitation of claims 20-22. Id. However, the 
Examiner has not provided any rational underpinning for modifying Win with Gillett 
to include the above-cited missing claim limitation. Hence, the Examiner has not 
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provided a prima facie case of obviousness in rejecting claims 20-22. KSR 
International Co. v. Teleflex Inc., 82 U.S.P.Q.2d 1385, 1396 (U.S. 2007). 

B. Claim 24 is not properly rejected under 35 U.S.C. § 103(a) as being 
unpatentable over Win in view of Gillett and in further view of Aull. 

1. Win, Gillett and Aull, taken singly or in combination, do not 
teach at least the following claim limitations. 

The Examiner cites column 9, lines 6-21 of Aull as teaching "providing user 
identities with associated access roles at user registration to the web site" as recited in 
claim 24. Office Action (6/20/2007), page 6; Office Action (10/26/2007), page 10. 
Appellants respectfully traverse. 

Aull instead teaches that the process for creating a role certificate begins in 
operation 200 where the user 132 via his local client platform 128 accesses the 
registration web server 124 and fills out an electronic form requesting the role 
certificate. Column 9, lines 6-10. Hence, Aull teaches creating a roll certificate . 

There is no language in the cited passage that teaches providing user identities 
with associated access roles at user registration . Neither is there any language in the 
cited passage that teaches providing user identities with associated access roles at user 
registration to the web site . Therefore, the Examiner's cited passage does not teach 
the above-cited claim limitation as asserted by the Examiner. 

In response to Appellants' above argument, the Examiner asserts that Aull 
teaches a roll certification which provides identity and allows the granting of access. 
Office Action (10/26/2007), pages 5-6. Appellants respectfully traverse. Aull teaches 
that what is needed is a method and computer program in which digital "role" 
certificates may be used for both encryption and signature purposes for a group . 
Column 3, lines 45-47. Further, Aull teaches that the possession of such a role 
certificate, by an authorized member of a group issuing the role certificate, should 
enable that person to decrypt messages sent to others within the group that were 
encrypted using the digital certificate . Column 3, lines 47-51. Hence, a role 
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certificate, as taught in Aull, refers to a digital certificate that is used for encryption 
and signature purposes. This is unrelated to providing user identities . Further, this is 
unrelated to providing user identifies with associated access roles at user registration . 
Further, this is unrelated to providing user identities with associated access roles at 
user registration to the web site . Therefore, the Examiner's cited passage does not 
teach the above-cited claim limitation as asserted by the Examiner. 

2. Examiner's reasoning for modifying Win with Aull to include 
the missing claim limitation of claim 24 is insufficient to 
establish a prima facie case of obviousness. 

As stated above, most if not all inventions arise from a combination of old 
elements. See In re Rouffet, 47 U.S.P.Q.2d 1453, 1457 (Fed. Cir. 1998). Obviousness 
is determined from the vantage point of a hypothetical person having ordinary skill in 
the art to which the patent pertains. In re Rouffet, 47 U.S.P.Q.2d 1453, 1457 (Fed. 
Cir. 1998). Therefore, an Examiner may often find every element of a claimed 
invention in the prior art. Id. However, identification in the prior art of each 
individual part claimed is insufficient to defeat patentability of the whole claimed 
invention. See Id. In order to establish a prima facie case of obviousness, the 
Examiner must show reasons that the skilled artisan, confronted with the same 
problems as the inventor and with no knowledge of the claimed invention, would 
select the elements from the cited prior art references for combination in the manner 
claimed. In re Rouffet, 47 U.S.P.Q.2d 1453, 1458 (Fed. Cir. 1998). The Examiner 
must provide articulated reasoning with some rational underpinning to support the 
legal conclusion of obviousness. In re Kahn, 441 F.3d 977, 988 (Fed. Cir. 2006) 
(cited approvingly in KSR International Co. v. Teleflex Inc., 82 U.S.P.Q.2d 1385, 
1396 (U.S. 2007)). 

The Examiner admits that Win does not teach "providing user identities with 
associated access roles at user registration to the web site" as recited in claim 24. 
Office Action (6/20/2007), page 6; Office Action (10/26/2007), page 10. The 
Examiner asserts that Aull teaches the above-cited claim limitation. Id. The 
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Examiner's reasoning for modifying Win with Aull to include the above-cited claim 
limitation is "because it offers the advantage of providing a method by which all 
parties involved may give their approval to the granting of a role to a user (Aull, 
column 9 lines 10-21)." Id. The Examiner's reasoning is insufficient to establish a 
prima facie case of obviousness in rejecting claim 24. 

As stated above, the Examiner cites column 9, lines 10-21 of Aull as support 
for the Examiner's reasoning for modifying Win with Aull to include the missing 
claim limitation of claim 24. Aull teaches that in operation 205 the user digitally 
signs the electronic role form and transmits it to the registration web server 124. 
Column 9, lines 11-13. Aull further teaches that in operation 210, the registration 
web server 124 queries directory 108 for personal role approvals. Column 9, lines 
13-14. Hence, Aull teaches that the registration web server queries a directory for 
personal role approvals upon receipt of the electronic role form digitally signed by the 
user. 

There is no language in Aull (and in particular column 9, lines 10-21) that 
makes any suggestion that by providing user identities with associated access roles at 
user registration to the web site (missing claim limitation) that the registration web 
server queries a directory for personal role approvals upon receipt of the electronic 
role form digitally signed by the user. Neither is there any language in Aull (and in 
particular column 9, lines 10-21) that makes any suggestion that by providing user 
identities with associated access roles at user registration to the web site (missing 
claim limitation) that all parties involved may give their approval to the granting of a 
role to a user (Examiner's motivation). The Examiner has simply cited to arbitrary 
passages in Aull that discusses the process in creating a role certificate and then 
concludes that the Examiner has provided appropriate reasoning for modifying Win to 
incorporate the above-cited missing claim limitation. The Examiner has to provide 
some rational connection between the cited passage that is the source of the 
Examiner's reasoning and the missing claim limitation . The Examiner's source 
(column 9, lines 10-21 of Aull) for modifying Win with Aull to include the above- 
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cited claim limitation does not provide reasons as to why one skilled in the art would 
modify Win to include the missing claim limitation of claim 24. Accordingly, the 
Examiner has not presented a prima facie case of obviousness for rejecting claim 24. 
KSR International Co. v. Teleflexlnc., 82 U.S.P.Q.2d 1385, 1396 (U.S. 2007). 

In response to Appellants' above argument, the Examiner asserts that "Aull 
provides further motivation for using the registration and roll certificate method in 
that the certificate provides simple and fast methods of indicating proper approval, 
authority or acceptance (Aull, column 2, lines 13-29)." Office Action (10/26/2007), 
page 6. Column 2, lines 13-29 is directed to digitally signing a document. See, for 
example, column 2, lines 26-28. However, the above-cited claim limitation is not 
directed to digitally signing a document. Instead, the above-cited claim limitation 
recites "providing user identities with associated access roles at user registration to 
the web site." Hence, the Examiner has not provided reasons as to why one skilled in 
the art would modify Win to include the missing claim limitation of claim 24. 
Accordingly, the Examiner has not presented a prima facie case of obviousness for 
rejecting claim 24. KSR International Co. v. Teleflex Inc., 82 U.S.P.Q.2d 1385, 1396 
(U.S. 2007). 

Furthermore, as stated above, Win addresses the problems of permitting rapid 
and convenient addition of information describing users and resources and 
propagating the effects of changes in the data model throughout the system. Column 
2, lines 34-38. The Examiner has not provided any reasons as to why one skilled in 
the art would modify Win (which teaches permitting rapid and convenient addition of 
information describing users and resources and propagating the effects of changes in 
the data model throughout the system) to provide user identities with associated 
access roles at user registration to the web site (missing claim limitation). The 
Examiner's rationale ("because it offers the advantage of providing a method by 
which all parties involved may give their approval to the granting of a role to a user") 
does not provide such reasoning. 
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Why would the reason to modify Win (whose purpose is to permit rapid and 
convenient addition of information describing users and resources and propagate the 
effects of changes in the data model throughout the system) to provide user identities 
with associated access roles at user registration to the web site (missing claim 
limitation) be to provide a method by which all parties involved may give their 
approval to the granting of a role to a user? Win is not concerned with providing a 
method by which all parties involved may give their approval to the granting of a role 
to a user. The Examiner cannot completely ignore the teachings of Win in concluding 
it would have been obvious to modify Win to include the missing claim limitation of 
claim 24. Further, what is the rational connection between providing a method by 
which all parties involved may give their approval to the granting of a role to a user 
(Examiner's motivation) and providing user identities with associated access roles at 
user registration to the web site (missing claim limitation)? Hence, the Examiner's 
rationale does not provide reasons that the skilled artisan, confronted with the same 
problems as the inventor and with no knowledge of the claimed invention, would 
modify Win to include the missing claim limitation of claim 24. Accordingly, the 
Examiner has not presented a prima facie case of obviousness for rejecting claim 24. 
KSR International Co. v. Teleflex Inc., 82 U.S.P.Q.2d 1385, 1396 (U.S. 2007). 
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VIII. CONCLUSION 

For the reasons noted above, the rejections of claims 17-24 are in error. 
Appellants respectfully request reversal of the rejections and allowance of claims 17- 
24. 

Respectfully submitted, 
WINSTEAD P.C. 
Attorneys for Appi 



P.O. Box 50784 
Dallas, Texas 75201 
(512) 370-2832 




Robert A. Voigt, Ji 
Reg. No. 47,159 
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CLAIMS APPENDIX 

17. A method for providing user access to a portion of a web site implemented by 
an electronic commerce system, the web site being accessible by one or more users 
and comprising a set of on-line stores and a set of organizations, each of the said on- 
line stores being associated with one of the set of organizations, the method 
comprising the steps of: 

associating each user with a unique identity in the system; 

associating a user identity with one of a set of access roles for a security 
domain, the access role defining access privileges for the user corresponding to the 
user identity, the security domain comprising a subset of the set of organizations and 
the on-line stores associated with the organizations in the subset; and 

granting or denying access to a user attempting to access a portion of the web 
site by determining the user identity for the user and determining the access role 
associated with the user identity for the security domain corresponding to the portion 
of the web site subject to the access attempt. 

18. The method of claim 17 in which the step of carrying out the determination of 
the access role associated with a user identity for a security domain occurs at user 
logon time. 

19. The method of claim 17 in which the set of access roles comprises registered 
customer and administrator roles. 

20. The method of claim 17 in which the set of organizations is a tree structure, 
the step of associating a user identity with one of a set of access roles further 
comprises the step of associating the user identity with the access role for a selected 
one of the set of organizations, 

the security domain includes the selected organization and those organizations 
in the set that are descendants of the selected organization, and 
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the step of granting or denying access by determining the access role 
associated with the user identity for the security domain comprises determining the 
access role for the user identity by traversing the tree structure of organizations 
commencing at the selected organization and including the ancestor organizations to 
the selected organization. 

2 1 . The method of claim 1 8 in which 

the set of organizations is a tree structure, 

the step of associating a user identity with one of a set of access roles further 
comprises the step of associating the user identity with the access role for a selected 
one of the set of organizations, and 

the security domain includes the selected organization and those organizations 
in the set that are descendants of the selected organization. 

22. The method of claim 19 in which 

the set of organizations is a tree structure, 

the step of associating a user identity with one of a set of access roles further 
comprises the step of associating the user identity with the access role for a selected 
one of the set of organizations, and 

the security domain includes the selected organization and those organizations 
in the set that are descendants of the selected organization. 

23. The method of claim 20 in which the step of associating a user identity with 
one of a set of accessible roles comprises entering data in a table comprising rows 
comprising data representing user identity, organization, access role associations. 

24. The method of claim 17 in which the step of providing user identities with 
associated access roles occurs at the time of user registration to the web site. 
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EVIDENCE APPENDIX 

No evidence was submitted pursuant to §§1.130, 1.131, or 1.132 of 37 C.F.R. 
or of any other evidence entered by the Examiner and relied upon by Appellants in 
the Appeal. 
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RELATED PROCEEDINGS APPENDIX 

There are no related proceedings to the current proceeding. 



Austin_l 525091v.l 



25 



